SUGGESTIONS Aastra Phones and Hosted PBX

Discussion in 'Endpoints' started by bjeung, Mar 17, 2011.

  1. bjeung New Member

    So I'm dabbling with a hosted PBX setup using RentPBX. I've set up a number of PBIAF boxes and remote endpoints and just used various Linksys routers with Tomato and OpenVPN to link them. Short of having a static IP address and the appropriate firewall entry, is there any other way to secure remote phones and still provide provisioning/XML script access? What are you guys doing for this scenario? Not really worried about SRTP or encrypting the voice traffic, just the configs and securing the access. What are you guys doing in this scenario?
  2. rentpbx Guru

    Just an idea

    This is just an idea. I have never tried this. However, we have been thinking about this for a while. Our reasoning is that Hosted PBX is mostly used with 20 or fewer extensions. I personally do not mind configuring phones manually at that scale.

    However, if you have to auto-configure your phone, here is the basic idea that I have. Use DD-WRT or another router that can connect to your server VPN. You need to set your internal DNS or the phone to get the provisioning file from this server with the IP address of the server VPN (not the server public IP). In your Aastra configuration file, you set the SIP server with the public IP of the server.

    In summary, the idea is to get the xml/cfg file through the VPN connection. In the cfg, use the public IP of the server to tell the phone to connect.
  3. lgaetz Pundit

    Do you know about this method?

    Lorne
  4. bjeung New Member

    When you say your server VPN, are the PBIAF images installed with OpenVPN already?

    For now, I have the phones on a static IP so I just poked a hole for TFTP for that IP address. Btw, HTTP is already open to the world, so the XML scripts are open to the world as well by default. Do you see this as a problem?
  5. bjeung New Member

    I had read that before, but forgotten about it. I may have to try this route. It would mean I'd have to touch the phones before sending them out, but that's not too much of a problem. Thanks for bringing that to my attention.
  6. rentpbx Guru

    Most CentOS distributions can be set up with either an OpenVPN or a PPTP server. DD-WRT can act as an OpenVPN and PPTP client. You should be able to establish a VPN connection from your LAN to the server.

    I may be mistaken since I am not familiar with Aastra. In the case of Aastra, it may be that the extension secret is encrypted. I have a Cisco 7940. I know that the 7940 does not encrypt the configuration file. If someone in the middle can sniff my packets, in this case, a hacker can see my extension secret.

    HTTP is a clear-text format. HTTP authentication (there are many types) does not pass the password in clear text. Once you log in, when you set your extensions in FreePBX, that secret is transmitted in clear text. Again, someone in the middle can sniff your packets. In this case, I would either set up proper HTTPS on your web server. Or, I personally access my configuration through an SSH tunnel.

    Now, you can also take the other approach in the reply. Using a whitelist and blacklist is also a good idea. In this case, if someone sniffs your extension secret, so what? They cannot connect anyway since only IPs in the whitelist can access your server.

    I talked about the extension secret above. Your trunk SIP secret is exposed in the same way when you configure your server using HTTP. Therefore, I would really use a secure connection when you configure your server or pass configuration from your server to some devices.
  7. dad311 Guru

    I'm guessing the answer to the question below is no, but I still need to ask before I jump in...

    Are there any issues with running 5-10 SIP phones behind a single NAT firewall running on a standard DSL/Cable modem?

    Issues like one-way audio, de-registration, etc.
  8. tm1000 Guru

    Or, you know, use the completely free config file encryptor made by Aastra for Aastra.
  9. I don't think it works with XML scripts.
  10. dad311 Guru

    I ended up using OpenVPN on my hosted PBX (RentPBX). My remote phones sit behind a DD-WRT router running OpenVPN. I set up the extensions and installed the Aastra scripts.

    In the Aastra phone I added the IP of the TFTP server, rebooted the phone and everything worked just like the PBX was on the same LAN, which technically it was.
